diff --git a/conf/master b/conf/master index 5179f42ebc5..3e7cdef7f7b 100644 --- a/conf/master +++ b/conf/master @@ -350,7 +350,7 @@ # the autosign_file and the auto_accept setting. #autoreject_file: /etc/salt/autoreject.conf -# If the autosign_grains_dir is specified, incoming keys from minons with grain +# If the autosign_grains_dir is specified, incoming keys from minions with grain # values matching those defined in files in this directory will be accepted # automatically. This is insecure. Minions need to be configured to send the grains. #autosign_grains_dir: /etc/salt/autosign_grains diff --git a/conf/suse/master b/conf/suse/master index ddc574e7655..427dbdf002f 100644 --- a/conf/suse/master +++ b/conf/suse/master @@ -302,7 +302,7 @@ syndic_user: salt # the autosign_file and the auto_accept setting. #autoreject_file: /etc/salt/autoreject.conf -# If the autosign_grains_dir is specified, incoming keys from minons with grain +# If the autosign_grains_dir is specified, incoming keys from minions with grain # values matching those defined in files in this directory will be accepted # automatically. This is insecure. Minions need to be configured to send the grains. #autosign_grains_dir: /etc/salt/autosign_grains diff --git a/salt/modules/x509.py b/salt/modules/x509.py index b30bbd96034..5846224fec4 100644 --- a/salt/modules/x509.py +++ b/salt/modules/x509.py @@ -126,7 +126,7 @@ def _fix_ctx(m2_ctx, issuer=None): def _new_extension(name, value, critical=0, issuer=None, _pyfree=1): ''' - Create new X509_Extension, This is required because M2Crypto + Create new X509_Extension, this is required because M2Crypto doesn't support getting the publickeyidentifier from the issuer to create the authoritykeyidentifier extension. ''' 
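Review bot: The `This is insecure.` sentence in the autosign_grains_dir comment names the risk without saying what it is; since the same block says minions must be configured to send the grains, the matching value is reported by the requesting host itself, so anyone able to reach the master and present that grain value has their key accepted without operator review. I would expand the comment to `# automatically. This is insecure: grains are reported by the minion itself, so any host that can reach the master and presents a matching value is accepted; treat the values in these files as shared secrets.` The same comment is duplicated in conf/suse/master in this commit, so both copies should be changed together.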
@@ -595,7 +595,7 @@ def read_certificate(certificate): def read_certificates(glob_path): ''' - Returns a dict containing details of a all certificates matching a glob + Returns a dict containing details of all certificates matching a glob glob_path: A path to certificates to be read and returned. @@ -658,8 +658,8 @@ def read_crl(crl): :depends: - OpenSSL command line tool - csl: - A path or PEM encoded string containing the CSL to read. + crl: + A path or PEM encoded string containing the CRL to read. CLI Example: @@ -754,17 +754,17 @@ def write_pem(text, path, overwrite=True, pem_type=None): PEM string input to be written out. path: - Path of the file to write the pem out to. + Path of the file to write the PEM out to. overwrite: - If True(default), write_pem will overwrite the entire pem file. + If ``True`` (default), write_pem will overwrite the entire PEM file. Set False to preserve existing private keys and dh params that may - exist in the pem file. + exist in the PEM file. pem_type: The PEM type to be saved, for example ``CERTIFICATE`` or ``PUBLIC KEY``. Adding this will allow the function to take - input that may contain multiple pem types. + input that may contain multiple PEM types. CLI Example: @@ -818,10 +818,10 @@ def create_private_key(path=None, Length of the private key in bits. Default 2048 passphrase: - Passphrase for encryting the private key + Passphrase for encrypting the private key cipher: - Cipher for encrypting the private key. Has no effect if passhprase is None. + Cipher for encrypting the private key. Has no effect if passphrase is None. verbose: Provide visual feedback on stdout. Default True @@ -878,7 +878,7 @@ def create_crl( # pylint: disable=too-many-arguments,too-many-locals :depends: - PyOpenSSL Python module path: - Path to write the crl to. + Path to write the CRL to. text: If ``True``, return the PEM text without writing to a file. 
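Review bot: In the write_pem `overwrite` docstring the new text wraps ``True`` in literal markup but leaves the next sentence's `Set False to preserve` plain, so the rendered docs show one value as code and the other as prose. I would make that line `Set ``False`` to preserve existing private keys and dh params that may`. The same ``True``/False mix is introduced in the create_certificate `overwrite` docstring further down the file and should be brought in line as well.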
@@ -886,14 +886,14 @@ def create_crl( # pylint: disable=too-many-arguments,too-many-locals signing_private_key: A path or string of the private key in PEM format that will be used - to sign this crl. This is required. + to sign the CRL. This is required. signing_private_key_passphrase: Passphrase to decrypt the private key. signing_cert: A certificate matching the private key that will be used to sign - this crl. This is required. + the CRL. This is required. revoked: A list of dicts containing all the certificates to revoke. Each dict @@ -1127,9 +1127,9 @@ def create_certificate( Default ``False``. overwrite: - If True(default), create_certificate will overwrite the entire pem + If ``True`` (default), create_certificate will overwrite the entire PEM file. Set False to preserve existing private keys and dh params that - may exist in the pem file. + may exist in the PEM file. kwargs: Any of the properties below can be included as additional @@ -1139,7 +1139,7 @@ def create_certificate( Request a remotely signed certificate from ca_server. For this to work, a ``signing_policy`` must be specified, and that same policy must be configured on the ca_server. See ``signing_policy`` for - details. Also the salt master must permit peers to call the + details. Also, the salt master must permit peers to call the ``sign_remote_certificate`` function. Example: @@ -1200,7 +1200,7 @@ def create_certificate( public_key: The public key to be included in this certificate. This can be sourced - from a public key, certificate, csr or private key. If a private key + from a public key, certificate, CSR or private key. If a private key is used, the matching public key from the private key will be generated before any processing is done. This means you can request a certificate from a remote CA using a private key file as your 
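Review bot: The ca_server docstring's new sentence `Also, the salt master must permit peers to call the ``sign_remote_certificate`` function` states the peer requirement without the caveat that this grant is what lets minions ask the CA to sign on their behalf, so a reader configuring it for the first time has no hint to scope it. I would add after that sentence: `Scope the master's ``peer`` entry to the minions that should be able to request certificates and to the ``x509.sign_remote_certificate`` function only, and use the ``minions`` key of the signing policy on the ca_server as the second restriction.` The ``minions`` behaviour is already documented under ``signing_policy`` in this same function, so the two notes would reinforce each other. The create_certificate docstring continues outside this hunk.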
@@ -1264,7 +1264,7 @@ def create_certificate( X509v3 Subject Alternative Name crlDistributionPoints: - X509v3 CRL distribution points + X509v3 CRL Distribution Points issuingDistributionPoint: X509v3 Issuing Distribution Point @@ -1324,7 +1324,7 @@ def create_certificate( signing_policy: A signing policy that should be used to create this certificate. Signing policies should be defined in the minion configuration, or in - a minion pillar. It should be a yaml formatted list of arguments + a minion pillar. It should be a YAML formatted list of arguments which will override any arguments passed to this function. If the ``minions`` key is included in the signing policy, only minions matching that pattern (see match.glob and match.compound) will be @@ -1385,11 +1385,11 @@ def create_certificate( passphrase=kwargs['public_key_passphrase'])).replace('\n', '') # Remove system entries in kwargs - # Including listen_in and preqreuired because they are not included + # Including listen_in and prerequired because they are not included # in STATE_INTERNAL_KEYWORDS # for salt 2014.7.2 for ignore in list(_STATE_INTERNAL_KEYWORDS) + \ - ['listen_in', 'preqrequired', '__prerequired__']: + ['listen_in', 'prerequired', '__prerequired__']: kwargs.pop(ignore, None) # TODO: Make timeout configurable in Neon certs = __salt__['publish.publish']( @@ -1712,7 +1712,7 @@ def verify_private_key(private_key, public_key, passphrase=None): public_key: The public key to verify, can be a string or path to a PEM formatted - certificate, csr, or another private key. + certificate, CSR, or another private key. passphrase: Passphrase to decrypt the private key. @@ -1739,7 +1739,7 @@ def verify_signature(certificate, signing_pub_key=None, signing_pub_key: The public key to verify, can be a string or path to a PEM formatted - certificate, csr, or private key. + certificate, CSR, or private key. signing_pub_key_passphrase: Passphrase to the signing_pub_key if it is an encrypted private key. 
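Review bot: The `'preqrequired'` → `'prerequired'` change in the create_certificate ignore list is the one line in this typo sweep that alters runtime behaviour: `prerequired` is now actually stripped from kwargs before they are handed to `publish.publish`, whereas before the misspelt key matched nothing and a `prerequired` entry, if present, would have been forwarded to the ca_server. That deserves a sentence in the commit description rather than being filed under spelling fixes. Separately, the context line reads `passphrase=kwargs['public_key_passphrase']` and nothing in the hunk removes that key before the publish call; unless it is popped earlier in the function (outside this hunk), the local private key's passphrase travels to the remote CA with the request, so I would add `kwargs.pop('public_key_passphrase', None)` next to the ignore loop or confirm it is already dropped. The comment `for salt 2014.7.2` also suggests the two extra names are a compatibility shim; if `_STATE_INTERNAL_KEYWORDS` now contains them, a TODO saying so would help the next cleanup. create_certificate starts before and continues past this hunk.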
diff --git a/salt/states/x509.py b/salt/states/x509.py index d44f85db17f..3774f7d5eb0 100644 --- a/salt/states/x509.py +++ b/salt/states/x509.py @@ -6,7 +6,7 @@ Manage X509 Certificates :depends: M2Crypto -This module can enable managing a complete PKI infrastructure including creating private keys, CA's, +This module can enable managing a complete PKI infrastructure including creating private keys, CAs, certificates and CRLs. It includes the ability to generate a private key on a server, and have the corresponding public key sent to a remote CA to create a CA signed certificate. This can be done in a secure manner, where private keys are always generated locally and never moved across the network. @@ -94,7 +94,7 @@ the mine where it can be easily retrieved by other minions. The signing policy defines properties that override any property requested or included in a CRL. It also -can define a restricted list of minons which are allowed to remotely invoke this signing policy. +can define a restricted list of minions which are allowed to remotely invoke this signing policy. /srv/salt/signing_policies.conf @@ -117,7 +117,7 @@ can define a restricted list of minons which are allowed to remotely invoke this This state will instruct all minions to trust certificates signed by our new CA. -Using jinja to strip newlines from the text avoids dealing with newlines in the rendered yaml, +Using Jinja to strip newlines from the text avoids dealing with newlines in the rendered YAML, and the :mod:`sign_remote_certificate ` state will handle properly formatting the text before writing the output. 
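Review bot: The context line just above the changed one in the signing-policy paragraph still says the policy overrides `any property requested or included in a CRL`, which looks like a leftover of the same kind this commit fixes: elsewhere in this change the policy is documented as overriding arguments passed to create_certificate, so the request artefact meant here is presumably a CSR, not a CRL. I would change it to `The signing policy defines properties that override any property requested or included in a CSR. It also` once that reading is confirmed. The surrounding module docstring starts outside this hunk.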
@@ -266,8 +266,8 @@ def private_key_managed(name, Cipher for encrypting the private key. new: - Always create a new key. Defaults to False. - Combining new with :mod:`prereq `, or when used as part of a `managed_private_key` can allow key rotation whenever a new certificiate is generated. + Always create a new key. Defaults to ``False``. + Combining new with :mod:`prereq `, or when used as part of a `managed_private_key` can allow key rotation whenever a new certificate is generated. overwrite: Overwrite an existing private key if the provided passphrase cannot decrypt it. @@ -283,7 +283,7 @@ def private_key_managed(name, Example: - The jinja templating in this example ensures a private key is generated if the file doesn't exist + The JINJA templating in this example ensures a private key is generated if the file doesn't exist and that a new private key is generated whenever the certificate that uses it is to be renewed. .. code-block:: jinja @@ -382,7 +382,7 @@ def certificate_managed(name, Manages the private key corresponding to the certificate. All of the arguments supported by :py:func:`x509.private_key_managed ` are supported. If `name` is not - speicified or is the same as the name of the certificate, the private + specified or is the same as the name of the certificate, the private key and certificate will be written together in the same file. append_certs: @@ -595,14 +595,14 @@ def crl_managed(name, Path to the certificate signing_private_key - The private key that will be used to sign this crl. This is + The private key that will be used to sign the CRL. This is usually your CA's private key. signing_private_key_passphrase Passphrase to decrypt the private key. signing_cert - The certificate of the authority that will be used to sign this crl. + The certificate of the authority that will be used to sign the CRL. This is usually your CA's certificate. revoked 
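Review bot: The new line `The JINJA templating in this example ensures a private key is generated` in private_key_managed spells the engine in all capitals, while the module docstring changed earlier in this same commit writes `Jinja`, so the sweep introduces the kind of inconsistency it is meant to remove. I would write `The Jinja templating in this example ensures a private key is generated if the file doesn't exist`. private_key_managed's docstring continues outside this hunk.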
@@ -618,8 +618,8 @@ def crl_managed(name, of pyOpenSSL less than 0.14. days_remaining : 30 - The crl should be automatically recreated if there are less than - ``days_remaining`` days until the crl expires. Set to 0 to disable + The CRL should be automatically recreated if there are less than + ``days_remaining`` days until the CRL expires. Set to 0 to disable automatic renewal. include_expired : False